Abstract

After revisiting the Cantor-Zassenhaus polynomial factorization algorithm, we describe a new simplified version of it, which entails a lower computational cost. Moreover, we show that it can be used to find a factor of a fully splitting polynomial of degree $t$ over $\mathbb{F}_{2^m}$ with $O(2^m/3^{t-1})$ attempts and over $\mathbb{F}_{p^m}$ for odd $p$ with $O(p^m/2^{t-1})$ attempts.
1 Introduction

The Cantor-Zassenhaus polynomial factorization algorithm ([6]) is an efficient (polynomial-time) probabilistic algorithm for factoring polynomials over a finite field $\mathbb{F}_{p^m}$ that are the product of irreducible polynomials with a common degree $s$ and multiplicity one. When the multiplicity is above 1, the factors can be separated by computing the greatest common divisor of the given polynomial and its formal derivative. If the irreducible polynomials have different degrees, the factors are separated by computing the greatest common divisors with polynomials of the form $z^{p^{mr}} - z$, starting from $r = 1$, so as to obtain the product of all irreducible factors of degree $r = 1, 2, \ldots$ (see e.g. [7]). Thus standard methods can be used to reduce the problem to the above case.

We will now introduce the Cantor-Zassenhaus factorization algorithm, providing a non- 
standard explanation which will be the basis for the rest of the paper: in the Sections below we 
will show how it can be improved, giving a new description with a more favorable estimate of its 
complexity and success rate. In fact this description leads us to consider a deterministic version of 
the algorithm, so that we will be concerned with the problem of establishing how many attempts 
are needed in the worst case to obtain a factor (with probability 1) and what is the least degree of 
the polynomial such that a factor is found with at most a fixed number of attempts. 
Let $\sigma(z)$ be a polynomial of degree $t$ over $\mathbb{F}_{p^m}$ which is a product of irreducible polynomials of degree $s$, i.e. $t = s \cdot d$.

Let us assume that $s = 1$ as a first instance and suppose that the trivial factor $z$ does not divide $\sigma(z)$.

We first deal with the case $p = 2$, and following [6] we assume that $m$ is even, otherwise we would consider a quadratic extension solely for the computations. If $\alpha$ is a known primitive element of $\mathbb{F}_{2^m}$, we define $\ell_m = \frac{2^m - 1}{3}$ and $\rho = \alpha^{\ell_m}$, which is thus a primitive cubic root of unity in the field.

Let $c(z)$ be a non-constant polynomial over $\mathbb{F}_{2^m}$ of degree less than $t$, and let

$$a(z) = c(z)^{\ell_m} \bmod \sigma(z),$$

which is again a polynomial of degree at most $t - 1$. Furthermore, we have

$$(c(z)^{\ell_m} + 1)(c(z)^{\ell_m} + \rho)(c(z)^{\ell_m} + \rho^2) = c(z)^{2^m - 1} - 1 .$$

Now, either $\gcd(c(z), \sigma(z))$ is non-trivial (and thus we already have a factor of $\sigma(z)$) or else $c(z)^{2^m - 1} - 1 \equiv 0 \bmod \sigma(z)$. In this latter case, if we write $c(z)^{2^m - 1} - 1 = Q(z)\sigma(z) + R(z)$ and specialize it in the roots $\{z_j\}$ of $\sigma(z)$, we see that $R(z)$, which is a polynomial of degree at most $t - 1$, takes the value $0$ for all $t$ roots, as $c(z_j) \neq 0$ and $\beta^{2^m - 1} - 1 = 0$ for any nonzero $\beta \in \mathbb{F}_{2^m}$. This implies that $R(z)$ is identically $0$. Thus we can write

$$(c(z)^{\ell_m} + 1)(c(z)^{\ell_m} + \rho)(c(z)^{\ell_m} + \rho^2) \equiv (a(z) + 1)(a(z) + \rho)(a(z) + \rho^2) \equiv 0 \bmod \sigma(z) .$$

Since every factor of the product $(a(z) + 1)(a(z) + \rho)(a(z) + \rho^2)$ has degree less than $t$, at least two of them must have a common non-trivial factor with $\sigma(z)$, unless $a(z) = 1, \rho, \rho^2$. In this latter case, the Cantor-Zassenhaus algorithm considers another random polynomial instead of $c(z)$, and reiterates the procedure until all factors have been found.

Notice that $a(z) = 0$ never occurs, since $c(z)$ has degree less than that of $\sigma(z)$, so that at least one root of $\sigma(z)$, say $\beta$, is not a root of $c(z)$; then substituting $\beta$ in the identity $c(z)^{\ell_m} = q(z)\sigma(z) + a(z)$, we get $a(\beta) \neq 0$, therefore $a(z)$ is not identically zero (this holds even if the roots of $\sigma$ were not in the field of the coefficients, as in the original description of the algorithm).

For the case $p > 2$, the procedure is similar: we would consider $\ell_m = \frac{p^m - 1}{2}$ and $\rho = \alpha^{\ell_m} = -1$, where $\alpha$ is a primitive element of $\mathbb{F}_{p^m}$. Here we would compute $a(z) = c(z)^{\ell_m} \bmod \sigma(z)$ and then factor as soon as $a(z) \neq \pm 1$.

Let us consider now the case $s > 1$. One option is to look at $\mathbb{F}_{p^{sm}}$, where the polynomial fully splits into linear factors: once a factor $z - \beta$ is found, it can be multiplied with the factors $z - \beta^{p^{mi}}$, with $1 \le i \le s - 1$, to obtain an irreducible factor of degree $s$. A second option is the application of the algorithms over $\mathbb{F}_{p^m}$ ([5], [6]), to directly find the irreducible factors of degree $s$ over $\mathbb{F}_{p^m}$. If $p = 2$, the argument follows as above, with $\ell_{sm} = \frac{2^{sm} - 1}{3}$: either $\gcd(c(z), \sigma(z))$ is non-trivial, or $\gcd(c(z), \sigma(z)) = 1$, in which case

$$(c(z)^{\ell_{sm}} + 1)(c(z)^{\ell_{sm}} + \rho)(c(z)^{\ell_{sm}} + \rho^2) \equiv (a(z) + 1)(a(z) + \rho)(a(z) + \rho^2) \equiv 0 \bmod \sigma(z) ,$$

where now $a(z) = c(z)^{\ell_{sm}} \bmod \sigma(z)$. Since every factor of the product $(a(z) + 1)(a(z) + \rho)(a(z) + \rho^2)$ has degree less than $t$, at least two of them must have a common non-trivial factor with $\sigma(z)$ in $\mathbb{F}_{2^m}[z]$, unless $a(z) = 1, \rho, \rho^2$. In this latter case, the Cantor-Zassenhaus algorithm considers another random polynomial $c(z)$, and reiterates the procedure until all factors have been found.

For the case $p > 2$, the procedure is similar: we would consider $\ell_{sm} = \frac{p^{sm} - 1}{2}$, compute $a(z) = c(z)^{\ell_{sm}} \bmod \sigma(z)$ and then factor as soon as $a(z) \neq \pm 1$.

In the next Section we will present a variant of the Cantor-Zassenhaus algorithm, according 
to the description given above, and then deal with probabilistic as well as deterministic consider- 
ations about its success rate. 

2 An improved algorithm 

We focus first on the case $s = 1$ and show that it is enough, and indeed convenient, to choose $c(z) = z$ as initial test polynomial and to choose $c(z) = z + \beta$, for some random $\beta \neq 0$, as further test polynomial, continuing by choosing random $\beta$s different from the previous ones until a factor is found. A similar approach was already present in [13] for the case of odd characteristic (cf. also [1]).

We then consider the case s > 1, where polynomials of degree 1 or s will be involved as test 
polynomials in order to obtain bounds on the number of attempts to find a factor. 

2.1 Case $s = 1$

Suppose $\sigma(z)$ is over $\mathbb{F}_{2^m}$ and $z^{\ell_m} \equiv \rho^i \bmod \sigma(z)$, $i \in \{0, 1, 2\}$. Now, any element in $\mathbb{F}_{2^m}^*$ can be written as $\alpha^{k + 3u}$, with $k \in \{0, 1, 2\}$: we define $A_0 = \{\alpha^{3i} : i = 0, \ldots, \ell_m - 1\}$, that is the subgroup of the elements of $\mathbb{F}_{2^m}^*$ that are cubic powers, and let $A_1 = \alpha A_0$ and $A_2 = \alpha^2 A_0$ be the two cosets that complete the coset partition of $\mathbb{F}_{2^m}^*$. If we substitute $\alpha^{k + 3u}$ for any root $z_j$ of $\sigma(z)$ in $z^{\ell_m} - \rho^i = Q(z)\sigma(z)$, we obtain $\rho^k - \rho^i = 0$, which implies $k = i$. This means that if $z^{\ell_m} \equiv \rho^i \bmod \sigma(z)$, then all the roots of $\sigma(z)$ are of the form $\alpha^{i + 3u}$, that is they belong to the same coset. When this situation occurs, we consider another test polynomial $c(z) = z + \beta$, which is equivalent to testing $c(z) = z$ for the polynomial $\sigma(z + \beta)$, whose set of roots is $\{z_i + \beta\}$. The test succeeds as soon as we find a $\beta$ such that the roots $z_i + \beta$ do not all belong to the same coset.

The next step is to determine an upper bound to the number of attempts needed in the worst 
case scenario, or on average, until a factor is found. 

Let us first consider the simple case $t = 2$: suppose that $z_1$ and $z_2$ belong to the same coset; then we look for a $\beta$ such that $z_1 + \beta$ and $z_2 + \beta$ are in different cosets. For the worst case scenario, we need to know how many pairs $(z_1 + \beta, z_2 + \beta)$ have both elements in the same coset. This is equivalent to knowing the number of ways in which $z_1 - z_2 = (z_1 + \beta) - (z_2 + \beta)$ can be written as the sum of two elements in the same coset. This number is actually $\ell_m - 1 = \frac{2^m - 1}{3} - 1$, as can be deduced from [19, Theorem 1] specialized with $i = j$ and $\chi$ the cubic character. So with at most $\frac{2^m - 1}{3}$ attempts we can factor a polynomial of degree 2. Clearly at each test we can factor with a probability of $\frac{2}{3}$, so that the expected number of attempts is $1.5$.

If $\sigma(z)$ is a polynomial over $\mathbb{F}_{p^m}$, $p > 2$, then the maximum number of attempts is $\frac{p^m - 1}{2}$, by similar reasoning: we again use some additive properties of residues ([11], [12], [14], [19]). At each test we can factor with a probability of $\frac{1}{2}$, so that the expected number of attempts is $2$.

The remainder of this paper will be devoted to establishing both probabilistic estimates and 
deterministic bounds on the number of attempts needed to successfully factor, for a generic t. A 
first deterministic, though very loose, bound is the following: 
Proposition 1 The maximum number of attempts needed to find a factor is upper bounded by $\ell_m$ (that is $\frac{2^m - 1}{3}$ or $\frac{p^m - 1}{2}$ for $p = 2$ or $p$ odd, respectively). In particular, in the Cantor-Zassenhaus algorithm it is sufficient to consider only linear polynomials as test polynomials $c(z)$.

Proof. In characteristic 2, if a root $z_i$ belongs to a given known coset, we can test all the $\ell_m$ elements of that coset, until we obtain $z_i$ itself: $z_i + z_i$ adds to $0$, which does not belong to any coset. Thus we will succeed with at most $\ell_m$ attempts. In characteristic $p$ greater than 2, it is sufficient to add all the elements of the coset multiplied by $p - 1$, that is to test $\beta = -x$ for every $x$ in the coset, so that $z_i + \beta = 0$ is eventually reached.

That it is enough to consider all the $p^m$ monic linear polynomials is anyway clear, since computing $\gcd(z - \beta, \sigma(z))$ for all $\beta$ in $\mathbb{F}_{p^m}$ would be enough to find all the factors.

□

Remark 1 The above argument implies that, if the first attempt fails, we know which coset the roots belong to, and can restrict our choice of $\beta$ to that coset.

Remark 2 Alternatively, the upper bounds of the proposition follow from the above remarks 
about t = 2: clearly, if t is bigger than 2, then a degree-2 polynomial is anyway a factor of the 
t-degree polynomial, so that the maximum number of attempts cannot exceed the number needed 
to factor this degree-2 polynomial. 

Remark 3 In the original version of the Cantor-Zassenhaus algorithm, $\gcd(c(z), \sigma(z))$ is computed when searching for a factor of $\sigma(z)$, corresponding to the case when $\gcd(c(z), \sigma(z))$ is non-trivial. Our version of the algorithm avoids this computation, since it is sufficient to evaluate $\sigma(z)$ at $\beta$ (at $-\beta$ in odd characteristic, the root of $z + \beta$) with any efficient polynomial evaluation algorithm; this can be done before exponentiating to the power $\ell_m$.

Remark 4 If $q$ is a prime factor of $p^m - 1$, then we may consider the exponent $\ell_m = \frac{p^m - 1}{q}$: in this case the probability of success (for $t = 2$) is $\frac{q - 1}{q}$ and the corresponding expected number of attempts is $\frac{q}{q - 1}$, which is close to 1 already for small primes like 5 or 7; the drawback is that, if $q$ is large, in the worst case we must check $q$ greatest common divisors, namely $\gcd(a(z) - \zeta_q^j, \sigma(z))$ for $0 \le j \le q - 1$, where $\zeta_q$ is a primitive $q$-th root of unity in $\mathbb{F}_{p^m}$ (it exists since $q \mid p^m - 1$, and $a(z)^q - 1 = \prod_{j=0}^{q-1}(a(z) - \zeta_q^j)$).
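The splitting procedure of Sections 1 and 2.1, with the evaluation shortcut of Remark 3 and the $q$-th power generalization of Remark 4, as an added example that is not part of the paper: a Python implementation over a prime field $\mathbb{F}_p$, $p$ odd, i.e. $m = 1$. The polynomial representation, the function names and the sample polynomials in the test are this example's own assumptions, not the paper's.

```python
"""Added example, not from the paper: the Section 2.1 variant of Cantor-Zassenhaus over a
prime field F_p (p odd, m = 1) with test polynomials z, z + beta.  Polynomials are lists of
coefficients in F_p, lowest degree first; every name here is this example's own."""
import random

def _trim(a):
    """Drop leading zero coefficients."""
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a

def poly_divmod(a, b, p):
    """Return (q, r) with a = q*b + r over F_p and deg r < deg b (b nonzero)."""
    r, b = _trim(x % p for x in a), _trim(x % p for x in b)
    inv_lead, q = pow(b[-1], -1, p), [0] * max(len(r) - len(b) + 1, 0)
    while len(r) >= len(b):
        coef, shift = (r[-1] * inv_lead) % p, len(r) - len(b)
        q[shift] = coef
        for i, bi in enumerate(b):
            r[shift + i] = (r[shift + i] - coef * bi) % p
        r = _trim(r)
    return _trim(q), r

def poly_mulmod(a, b, f, p):
    """a * b mod f over F_p (schoolbook product, then reduction)."""
    prod = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    return poly_divmod(prod, f, p)[1]

def poly_powmod(a, e, f, p):
    """a^e mod f over F_p by square-and-multiply."""
    result, base = [1], poly_divmod(a, f, p)[1]
    while e:
        if e & 1:
            result = poly_mulmod(result, base, f, p)
        base = poly_mulmod(base, base, f, p)
        e >>= 1
    return result

def poly_gcd(a, b, p):
    """Monic gcd over F_p by the Euclidean algorithm."""
    a, b = _trim(x % p for x in a), _trim(x % p for x in b)
    while b:
        a, b = b, poly_divmod(a, b, p)[1]
    inv = pow(a[-1], -1, p)
    return [(x * inv) % p for x in a]

def poly_eval(a, x, p):
    """Horner evaluation of a at x over F_p."""
    acc = 0
    for c in reversed(a):
        acc = (acc * x + c) % p
    return acc

def split_once(sigma, p, q=2, rng=None):
    """One proper monic factor of a monic squarefree sigma that splits completely over F_p.
    Test polynomials: z first, then z + beta for fresh random beta (Section 2.1).  Exponent
    (p - 1)/q for a prime q | p - 1: q = 2 is the basic algorithm, q > 2 is Remark 4."""
    sigma, rng = _trim(x % p for x in sigma), rng or random.Random(0)
    ell = (p - 1) // q
    zeta = next(pow(x, ell, p) for x in range(2, p) if pow(x, ell, p) != 1)  # order q
    betas = list(range(1, p))
    rng.shuffle(betas)
    for attempts, beta in enumerate([0] + betas, start=1):
        # Remark 3: gcd(z + beta, sigma) is non-trivial iff sigma(-beta) = 0, so a plain
        # evaluation settles that case before any exponentiation.
        if poly_eval(sigma, -beta % p, p) == 0:
            return [beta, 1], attempts
        a = poly_powmod([beta, 1], ell, sigma, p) or [0]  # a(z) = c(z)^ell mod sigma(z)
        if len(a) == 1 and pow(a[0], q, p) == 1:          # a(z) = zeta^j: shifted roots all
            continue                                      # in one coset, try another beta
        for j in range(q):                                # sigma | prod_j (a(z) - zeta^j)
            g = poly_gcd([(a[0] - pow(zeta, j, p)) % p] + a[1:], sigma, p)
            if 1 <= len(g) - 1 < len(sigma) - 1:
                return g, attempts
    raise ValueError("sigma is not squarefree and fully splitting over F_p")

def roots_of_split_poly(sigma, p, seed=0):
    """All roots of a squarefree, fully splitting polynomial over F_p by recursive splitting."""
    rng = random.Random(seed)

    def rec(f):
        f = _trim(x % p for x in f)
        inv = pow(f[-1], -1, p)
        f = [(x * inv) % p for x in f]                    # make monic
        if len(f) == 2:
            return [-f[0] % p]
        g, _ = split_once(f, p, rng=rng)
        h, rem = poly_divmod(f, g, p)
        assert not rem
        return rec(g) + rec(h)

    return sorted(rec(sigma))
```

With `q = 2` the inner loop computes $\gcd(a(z) - 1, \sigma(z))$ and $\gcd(a(z) + 1, \sigma(z))$, the two gcds of the basic algorithm; with a prime $q > 2$ dividing $p - 1$ it computes the $q$ gcds of Remark 4 against the $q$-th roots of unity $\zeta_q^j$, which exist in $\mathbb{F}_p$ because $q \mid p - 1$. The check `sigma(-beta) == 0` also covers the root $0$ that the paper excludes by assumption.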

2.2 Case $s > 1$

If $s > 1$, either we look for linear factors in $\mathbb{F}_{p^{ms}}$, and the analysis is the same as in the case $s = 1$, or we choose the direct method, as explained in the previous section. In this case, by a similar argument as above, the algorithm succeeds as soon as the $c(z_i)$, $z_i$ being the roots of $\sigma(z)$, are not all in the same coset. This is equivalent to asking that non-conjugate roots are not all in the same coset, as

$$c\big(z_i^{p^m}\big)^{\ell_{sm}} = \big((c(z_i))^{p^m}\big)^{\ell_{sm}} = \big((c(z_i))^{\ell_{sm}}\big)^{p^m} = (c(z_i))^{\ell_{sm}}$$

by the properties of the Frobenius automorphism (the last equality holds because $(c(z_i))^{\ell_{sm}}$ is a root of unity lying in $\mathbb{F}_{p^m}$).

Let us see this more precisely, describing in detail the case $p = 2$, while a similar argument applies in the case of odd primes. Let $\sigma(z)$ be, as above, a polynomial of degree $t$ over $\mathbb{F}_{2^m}$, which is a product of $d$ irreducible polynomials $\sigma_i(z)$ of degree $s$ over the same field $\mathbb{F}_{2^m}$, where it is not restrictive to assume $m$ even. According to the Cantor-Zassenhaus algorithm, a polynomial $c(z)$ over $\mathbb{F}_{2^m}$, relatively prime with $\sigma(z)$, separates $\sigma(z)$ into two polynomials of smaller degree if $a(z) = c(z)^{\ell_{sm}} \bmod \sigma(z)$ is different from $\rho^k$, $k = 0, 1, 2$: at least two factors $\sigma_i(z)$ are in two distinct greatest common divisors between $\sigma(z)$ and $a(z) + 1$, $a(z) + \rho$, and $a(z) + \rho^2$, respectively.

Lemma 1 With the above hypotheses and definitions, a polynomial $c(z)$ over $\mathbb{F}_{2^m}$ separates $\sigma(z)$ into two polynomials, one containing the factor $\sigma_1(z)$ and a second one containing the factor $\sigma_2(z)$, if and only if $c(z)^{\ell_{sm}} \bmod \sigma_1(z) \neq c(z)^{\ell_{sm}} \bmod \sigma_2(z)$. Equivalently, $\sigma_1(z)$ and $\sigma_2(z)$ are separated if and only if $c(z_1)$ and $c(z_2)$ belong to different cosets $A'_k$ of $\mathbb{F}_{2^{sm}}^*$, where $z_1$ and $z_2$ are roots of $\sigma_1(z)$ and $\sigma_2(z)$, respectively.

Proof. The polynomial $\sigma(z)$ can be written as a product of three polynomials, i.e. $\sigma_1(z)$, $\sigma_2(z)$, and $\sigma_r(z)$ which collects the remaining factors, thus $a(z)$ can be decomposed, using the Chinese Remainder Theorem (CRT), as

$$a(z) \equiv a_1(z)\psi_1(z) + a_2(z)\psi_2(z) + a_r(z)\psi_r(z) \bmod \sigma(z), \qquad \psi_1(z) + \psi_2(z) + \psi_r(z) = 1 ,$$

where $a_1(z) = c(z)^{\ell_{sm}} \bmod \sigma_1(z)$, $a_2(z) = c(z)^{\ell_{sm}} \bmod \sigma_2(z)$, and $a_r(z) = c(z)^{\ell_{sm}} \bmod \sigma_r(z)$.

If $a(z) = \rho^k$, the uniqueness of the CRT decomposition implies that $a_1(z) = a_2(z) = a_r(z) = \rho^k$.

If $a(z) \neq 1, \rho, \rho^2$, then $c(z)$ separates $\sigma(z)$ into two polynomials of smaller degree, and we distinguish two cases:

1) $a_1(z) \neq a_2(z)$: the polynomials $\sigma_1(z)$ and $\sigma_2(z)$ are in different factors because, if both of them were in the same factor, they would both divide the same polynomial $a(z) + \rho^k$, thus $a_i(z) = a(z) \bmod \sigma_i(z) = \rho^k$, $i = 1, 2$, contrary to the assumption.

2) $a_1(z) = a_2(z)$: $\sigma_1(z)$ and $\sigma_2(z)$ are in the same factor; in fact, suppose they are not, then

$$a_1(z) = a(z) \bmod \sigma_1(z) = \rho^{k_1} \neq \rho^{k_2} = a(z) \bmod \sigma_2(z) = a_2(z) ,$$

yielding a contradiction.

Also, since $a(z) = c(z)^{\ell_{sm}} \bmod \sigma(z)$ and $a(z) \bmod \sigma_i(z) = a_i(z) = \rho^{k_i}$, we have that $c(z_i)^{\ell_{sm}} = \rho^{k_i}$, $i = 1, 2$, which means $c(z_i) \in A'_{k_i}$; hence it follows from the first part of the lemma that $c(z)$ separates $\sigma_1(z)$ and $\sigma_2(z)$ if and only if $k_1 \neq k_2$, i.e. if and only if $c(z_1)$ and $c(z_2)$ lie in different cosets.

□

Now, as in the case $s = 1$, we are interested in upper bounds for the number of attempts and we can limit the choice of $c(z)$, according to our convenience. For example, if we know at least one primitive polynomial $m(z)$ of degree $s$, we can choose the polynomials $c(z)$ within the set of monic irreducible polynomials of degree $s$, so that we get directly $\ell_{sm}$ as an upper bound. If we do not have any primitive polynomial of degree $s$, that is no means to get and draw from the pool of irreducible polynomials of degree $s$, then we can choose the polynomials $c(z)$ within the larger set of monic polynomials of degree $s$, and we have the looser bound $p^{sm}$. Somewhat surprisingly, we show next that usually it is actually sufficient to consider again linear polynomials.

Let $\chi'_3$ be a non-trivial cubic character over $\mathbb{F}_{2^{sm}}$, namely $\chi'_3$ is a mapping from $\mathbb{F}_{2^{sm}}$ into the complex numbers defined as

$$\chi'_3(\alpha^h \theta) = \zeta_3^h, \qquad \theta \in A'_0, \; h = 0, 1, 2 ,$$

$\alpha$ being a primitive element of $\mathbb{F}_{2^{sm}}$, $\zeta_3$ a primitive complex cubic root of unity, and $A'_0$ the coset of cubes in $\mathbb{F}_{2^{sm}}^*$. Moreover, we set $\chi'_3(0) = 0$ by definition.

If $z_1$ and $z_2$ are roots of two distinct irreducible polynomials of degree $s$, we denote with $N_2^{(m)}(z_1, z_2)$ the number of monic polynomials $c(z) = z + \beta$ with $\beta \in \mathbb{F}_{2^m}$ such that $\chi'_3(c(z_1)) = \chi'_3(c(z_2))$.

Proposition 2 The maximum number $N_a$ of attempts needed to find an irreducible factor of degree $s$, using monic linear polynomials as test polynomials, is upper bounded by $\frac{2^m}{3}\Big(1 + \frac{2(2s - 1)}{\sqrt{2^m}} + \frac{1}{2^m}\Big)$ if $p = 2$, or by $\frac{p^m}{2}\Big(1 + \frac{2s - 1}{\sqrt{p^m}}\Big)$ if $p$ is odd. In particular linear polynomials are sufficient to find a factor if $\frac{2(2s - 1)}{\sqrt{2^m}} < 2$ or $\frac{2s - 1}{\sqrt{p^m}} < 1$, respectively.

Proof. In the case of characteristic 2, $N_a$ is upper bounded by the maximum of $N_2^{(m)}(z_1, z_2) + 1$ taken over all pairs of roots $z_1$ and $z_2$ of distinct irreducible polynomials of degree $s$. Thus an upper bound for $N_2^{(m)}(z_1, z_2)$ independent of $z_1$ and $z_2$ is also an upper bound for $N_a - 1$. Consider the indicator function

$$I_{A'_h}(c(z_i)) = \frac{1 + \bar{\zeta}_3^{\,h}\chi'_3(c(z_i)) + \zeta_3^{\,h}\bar{\chi}'_3(c(z_i))}{3}, \qquad i = 1, 2 ,$$

which is $1$ if the cubic character of $c(z_i)$ is $\zeta_3^h$ and is $0$ otherwise, if we suppose $c(z)$ relatively prime with $\sigma(z)$.

Therefore, for a given $c(z)$ we have a coincidence whenever the product $I_{A'_h}(c(z_1))\, I_{A'_h}(c(z_2))$ is $1$ for some $h$. Thus,

$$\sum_{h=0}^{2} I_{A'_h}(c(z_1))\, I_{A'_h}(c(z_2)) = \frac{1}{3}\Big(1 + \chi'_3(c(z_1))\bar{\chi}'_3(c(z_2)) + \bar{\chi}'_3(c(z_1))\chi'_3(c(z_2))\Big)$$

is the coincidence indicator for a fixed polynomial $c(z)$. Summing over all monic linear polynomials $z + \beta$ over $\mathbb{F}_{2^m}$, we get the total number $N_2^{(m)}(z_1, z_2)$ of coincidences

$$N_2^{(m)}(z_1, z_2) = \frac{1}{3}\sum_{\beta \in \mathbb{F}_{2^m}} \Big(1 + \chi'_3(z_1 + \beta)\bar{\chi}'_3(z_2 + \beta) + \bar{\chi}'_3(z_1 + \beta)\chi'_3(z_2 + \beta)\Big) - \frac{2}{3} ,$$

where $-\frac{2}{3}$ comes from excluding those polynomials $z + \beta$ having $z_1$ or $z_2$ as root. We split the summation in three summations: the first summation is simply $2^m$, and the second and third summations are complex conjugated, thus it is enough to evaluate only the summation

$$C = \sum_{\beta \in \mathbb{F}_{2^m}} \chi'_3(z_1 + \beta)\bar{\chi}'_3(z_2 + \beta) .$$

This summation is hard to evaluate in closed form, thus we content ourselves with a bound. Namely, as $\chi'_3$ can be considered as the lifted character of a nontrivial character $\chi_3$ over $\mathbb{F}_{2^m}$ [9], we can write

$$C = \sum_{\beta \in \mathbb{F}_{2^m}} \chi_3\big(N_{\mathbb{F}_{2^{ms}}/\mathbb{F}_{2^m}}(z_1 + \beta)\big)\, \bar{\chi}_3\big(N_{\mathbb{F}_{2^{ms}}/\mathbb{F}_{2^m}}(z_2 + \beta)\big) ,$$

where $N_{\mathbb{F}_{2^{ms}}/\mathbb{F}_{2^m}}(x) = x \cdot x^{2^m} \cdots x^{2^{m(s-1)}}$ is the norm.

Since $N_{\mathbb{F}_{2^{ms}}/\mathbb{F}_{2^m}}(z_i + \beta)$, $i = 1, 2$, are polynomials of degree $s$ in $\beta$ with distinct roots, and $\bar{\chi}_3 = \chi_3^2$, we can then use the Weil bound ([16, Theorem 2C']; cf. also [8], [20, Lemma 2.2]) to obtain

$$|C| \le (2s - 1)\, 2^{m/2} .$$

In conclusion we obtain $N_a$ bounded as

$$N_a \le \frac{2^m}{3}\Big(1 + \frac{2(2s - 1)}{\sqrt{2^m}} + \frac{1}{2^m}\Big) .$$

The same argument works similarly for $p$ odd, and making the appropriate changes the conclusion is

$$N_a \le \frac{p^m}{2}\Big(1 + \frac{2s - 1}{\sqrt{p^m}}\Big) .$$

□



In the following we analyse the algorithm more in detail both from a probabilistic and a 
deterministic point of view; in particular we will show that the maximum number of attempts to 
get a factor is usually very small, so that the algorithm, which is probabilistic in nature, can often 
be considered deterministic. In order to simplify the subsequent analysis, we will suppose that 
s = 1 from now on. 



3 Probability of factoring 

The Cantor-Zassenhaus algorithm is very efficient in factoring polynomials, but is not determin- 
istic. We can show, however, that the maximum number of attempts, following the modified 
version above, decreases exponentially with the degree of the polynomial, so that the probability 
of factoring with one test is close to 1 when the degree is large enough. 

Making the reasonable assumption that the set $\{z_i + \beta\}$, for some $\beta$, is made up of elements which belong to each coset $A_i$ with probability $1/3$ (or $1/2$ in the case $p > 2$), independently of one another, then $3 \cdot \frac{1}{3^t} = \frac{1}{3^{t-1}}$ is the probability that they all belong to a common coset of the three cosets (and $2 \cdot \frac{1}{2^t} = \frac{1}{2^{t-1}}$ in case of the two cosets in $\mathbb{F}_{p^m}^*$, $p > 2$). Therefore the number of attempts to obtain a factor, in the worst case scenario, is roughly $\frac{2^m}{3^{t-1}}$ and $\frac{p^m}{2^{t-1}}$ respectively. And the expected number is

$$\frac{1}{1 - 3^{-(t-1)}} = 1 + \frac{1}{3^{t-1} - 1} \qquad \text{or} \qquad 1 + \frac{1}{2^{t-1} - 1} .$$

Furthermore, suppose we fail at the first attempt, then we can choose $\beta$ within a certain coset, and under the same independence assumption the probability of failing at the next $n$ attempts is only $\frac{1}{3^{n(t-1)}}$ (respectively $\frac{1}{2^{n(t-1)}}$).

Clearly, once a factor is found, the polynomial splits into two parts to which we will re-apply the previous computation if we are interested in a complete factorization, until all linear factors are obtained.
4 Deterministic splitting I: fixed $t$



If we use the proposed variant of the Cantor-Zassenhaus algorithm, the tightest upper bound to the number of attempts necessary to split a polynomial $\sigma(z)$ of degree $t$ over $\mathbb{F}_{2^m}$ is equal to

$$1 + \max_{z_i} N_2(t),$$

where $N_2(t)$ is the number of solutions $\beta$ of a system of $t$ equations in $\mathbb{F}_{2^m}$ of the form

$$\begin{array}{l} \alpha^i z_1^3 + \beta = \alpha^k y_1^3 \\ \alpha^i z_2^3 + \beta = \alpha^k y_2^3 \\ \quad \vdots \\ \alpha^i z_t^3 + \beta = \alpha^k y_t^3 \end{array} \qquad (1)$$

where $\alpha^i z_1^3, \alpha^i z_2^3, \ldots, \alpha^i z_t^3$ are given and distinct (i.e. they are the roots of $\sigma(z)$), whereas the $y_i$s must be chosen in the field to satisfy the system, and the three values $\{0, 1, 2\}$ for $k$ and $i$ are all considered. However, we may assume $i = 0$, since dividing each equation by $\alpha^i$, and setting $\beta' = \beta\alpha^{-i}$ and $k' = k - i \bmod 3$, we see that the number of solutions of the system is independent of $i$. If the system is unsolvable, then the number of attempts is $1$.

To evaluate $N_2(t)$, we define an indicator function of the sets $A_k$ using the cubic character, namely for every $x \neq 0$

$$I_{A_j}(x) = \frac{1 + \bar{\zeta}_3^{\,j}\chi_3(x) + \zeta_3^{\,j}\bar{\chi}_3(x)}{3} = \begin{cases} 1 & \text{if } x \in A_j \\ 0 & \text{otherwise} \end{cases} \qquad j = 0, 1, 2 ,$$

(where the bar denotes complex conjugation). Then, given a $z_i$ we can partition the elements $\beta \neq z_i^3$ in $\mathbb{F}_{2^m}$ into subsets depending on the $k \in \{0, 1, 2\}$ such that $\chi_3(\beta + z_i^3) = \zeta_3^k$. Therefore, a solution of (1) for a fixed $k$ and $i = 0$ is singled out by the product

$$\prod_{i=1}^{t} I_{A_k}(\beta + z_i^3) = \frac{1}{3^t}\Big(1 + \sigma_1^{(k)} + \sigma_2^{(k)} + \cdots + \sigma_t^{(k)}\Big),$$

where each $\sigma_j^{(k)}$ is a homogeneous sum of monomials which are products of $j$ characters of the form $\chi_3(\beta + z_i^3)$ or $\bar{\chi}_3(\beta + z_i^3)$. Thus $N_2(t)$ is

$$N_2(t) = \sum_{\beta \in \mathbb{F}_{2^m} \setminus \{z_1^3, \ldots, z_t^3\}} \left[ \prod_{i=1}^{t} I_{A_0}(\beta + z_i^3) + \prod_{i=1}^{t} I_{A_1}(\beta + z_i^3) + \prod_{i=1}^{t} I_{A_2}(\beta + z_i^3) \right] \qquad (2)$$

The values $\beta = z_i^3$ in the sum need not be considered, since in any case they are not solutions ($z_i^3 + z_i^3 = 0$ cannot be in the same coset as $z_i^3 + z_j^3$ if $i \neq j$).

Similarly, in characteristic greater than 2, the tightest upper bound to the number of attempts necessary to split a polynomial $\sigma(z)$ of degree $t$ is equal to

$$1 + \max_{z_i} N_p(t),$$

where $N_p(t)$ is the number of solutions $\beta$ of a system of $t$ equations in $\mathbb{F}_{p^m}$ of the form

$$\begin{array}{l} \alpha^i z_1^2 + \beta = \alpha^k y_1^2 \\ \alpha^i z_2^2 + \beta = \alpha^k y_2^2 \\ \quad \vdots \\ \alpha^i z_t^2 + \beta = \alpha^k y_t^2 \end{array} \qquad (3)$$

where $\alpha^i z_1^2, \alpha^i z_2^2, \ldots, \alpha^i z_t^2$ are given and distinct and the two values $\{0, 1\}$ for $k$ and $i$ are considered. Again, we may assume $i = 0$ and we can define an indicator function of the sets $B_k$ using the quadratic character, where $B_0$ is the set of squares and $B_1$ the complementary set in $\mathbb{F}_{p^m}^*$: namely, let $\chi_2$ be a mapping from $\mathbb{F}_{p^m}^*$ into the complex numbers defined as

$$\chi_2(\alpha^h \theta) = (-1)^h, \qquad \theta \in B_0, \; h = 0, 1 .$$

Again, we set $\chi_2(0) = 0$.

The corresponding indicator function is thus

$$I_{B_j}(x) = \frac{1 + (-1)^j \chi_2(x)}{2} = \begin{cases} 1 & \text{if } x \in B_j \\ 0 & \text{otherwise} \end{cases} \qquad j = 0, 1 .$$

Given a $z_i$ we partition $\mathbb{F}_{p^m} \setminus \{-z_i^2\}$ into subsets depending on the value of $k$, such that $\chi_2(\beta + z_i^2) = (-1)^k$. Therefore, a solution of (3) for a fixed $k$ is given by the product

$$\prod_{i=1}^{t} I_{B_k}(\beta + z_i^2) = \frac{1}{2^t}\Big(1 + \sigma_1^{(k)} + \sigma_2^{(k)} + \cdots + \sigma_t^{(k)}\Big),$$

where each $\sigma_j^{(k)}$ is a homogeneous sum of monomials which are products of $j$ characters of the form $\chi_2(\beta + z_i^2)$. Thus $N_p(t)$ is

$$N_p(t) = \sum_{\beta \in \mathbb{F}_{p^m} \setminus \{-z_1^2, \ldots, -z_t^2\}} \left[ \prod_{i=1}^{t} I_{B_0}(\beta + z_i^2) + \prod_{i=1}^{t} I_{B_1}(\beta + z_i^2) \right] \qquad (4)$$

The following subsections deal with computations of $N_p(t)$ for small values of $t$, then with general bounds on $N_p(t)$.



4.1 Computations for small $t$

In the following computations, we will use some properties of nontrivial characters that we briefly mention: $\sum_{x \in \mathbb{F}_{p^m}} \chi(x) = 0$; if $\beta \neq 0$, then $\sum_{x \in \mathbb{F}_{p^m}} \chi(x)\bar{\chi}(x + \beta) = -1$ ([8], [11]). Moreover,

$$\sum_{x \in \mathbb{F}_{2^m}} \chi_3(x)\chi_3(x + 1) = G_m(1, \chi_3) = -(-2)^{m/2} ,$$

with $G_m(1, \chi_3)$ being the Gauss sum ([15]).

We will start with the case $p = 2$. First we compute $N_2(2)$, already found above with another technique, then analogously $N_2(3)$.
$t = 2$. Setting $x_i = \beta + z_i^3$, we have

$$\prod_{i=1}^{2} I_{A_h}(x_i) = \frac{1}{9}\Big(1 + \sigma_1^{(h)} + \sigma_2^{(h)}\Big), \qquad h = 0, 1, 2 ,$$

where

$$\sigma_1^{(h)} = \bar{\zeta}_3^{\,h}\big(\chi_3(x_1) + \chi_3(x_2)\big) + \zeta_3^{\,h}\big(\bar{\chi}_3(x_1) + \bar{\chi}_3(x_2)\big),$$

$$\sigma_2^{(h)} = \bar{\zeta}_3^{\,2h}\chi_3(x_1)\chi_3(x_2) + \chi_3(x_1)\bar{\chi}_3(x_2) + \bar{\chi}_3(x_1)\chi_3(x_2) + \zeta_3^{\,2h}\bar{\chi}_3(x_1)\bar{\chi}_3(x_2) .$$

Since $\sigma_1^{(0)} + \sigma_1^{(1)} + \sigma_1^{(2)} = 0$ and $\sigma_2^{(0)} + \sigma_2^{(1)} + \sigma_2^{(2)} = 3\big(\chi_3(x_1)\bar{\chi}_3(x_2) + \bar{\chi}_3(x_1)\chi_3(x_2)\big)$, the sum of the three products $\prod_{i=1}^{2} I_{A_h}(x_i)$ is $\frac{1}{3}\big(1 + \chi_3(x_1)\bar{\chi}_3(x_2) + \bar{\chi}_3(x_1)\chi_3(x_2)\big)$, and thus the sum over $\beta$ in the whole field $\mathbb{F}_{2^m}$, with the exclusion of $\beta = z_1^3$ and $\beta = z_2^3$, is

$$N_2(2) = \frac{1}{3}\left[2^m - 2 + \sum_{\beta \neq z_1^3, z_2^3} \Big(\chi_3(\beta + z_1^3)\bar{\chi}_3(\beta + z_2^3) + \bar{\chi}_3(\beta + z_1^3)\chi_3(\beta + z_2^3)\Big)\right] .$$

Let $S$ denote the above summation; then $S$ can be evaluated in closed form: by the substitution $\beta = z_1^3 + \eta$, since $\chi_3$ is a nontrivial cubic character, we have

$$S = \sum_{\eta \in \mathbb{F}_{2^m}} \Big(\chi_3(\eta)\bar{\chi}_3(\eta + z_1^3 + z_2^3) + \bar{\chi}_3(\eta)\chi_3(\eta + z_1^3 + z_2^3)\Big) = -2 ,$$

as the summation of each of the two parts gives $-1$ ($z_1^3 + z_2^3 \neq 0$ by hypothesis). In conclusion, we have

$$N_2(2) = \frac{1}{3}\,(2^m - 4) ,$$

so that

$$1 + \max N_2(2) = \frac{1}{3}\,(2^m - 1) .$$

$t = 3$. In this case

$$\prod_{i=1}^{3} I_{A_h}(x_i) = \frac{1}{27}\Big(1 + \sigma_1^{(h)} + \sigma_2^{(h)} + \sigma_3^{(h)}\Big), \qquad h = 0, 1, 2 ,$$

where

$$\sigma_1^{(h)} = \bar{\zeta}_3^{\,h}\big(\chi_3(x_1) + \chi_3(x_2) + \chi_3(x_3)\big) + \zeta_3^{\,h}\big(\bar{\chi}_3(x_1) + \bar{\chi}_3(x_2) + \bar{\chi}_3(x_3)\big),$$

$$\sigma_2^{(h)} = \sum_{1 \le i < l \le 3} \Big[\bar{\zeta}_3^{\,2h}\chi_3(x_i)\chi_3(x_l) + \chi_3(x_i)\bar{\chi}_3(x_l) + \bar{\chi}_3(x_i)\chi_3(x_l) + \zeta_3^{\,2h}\bar{\chi}_3(x_i)\bar{\chi}_3(x_l)\Big],$$

$$\begin{aligned} \sigma_3^{(h)} = {} & \chi_3(x_1)\chi_3(x_2)\chi_3(x_3) + \bar{\chi}_3(x_1)\bar{\chi}_3(x_2)\bar{\chi}_3(x_3) \\ & + \bar{\zeta}_3^{\,h}\Big(\chi_3(x_1)\chi_3(x_2)\bar{\chi}_3(x_3) + \chi_3(x_1)\bar{\chi}_3(x_2)\chi_3(x_3) + \bar{\chi}_3(x_1)\chi_3(x_2)\chi_3(x_3)\Big) \\ & + \zeta_3^{\,h}\Big(\chi_3(x_1)\bar{\chi}_3(x_2)\bar{\chi}_3(x_3) + \bar{\chi}_3(x_1)\chi_3(x_2)\bar{\chi}_3(x_3) + \bar{\chi}_3(x_1)\bar{\chi}_3(x_2)\chi_3(x_3)\Big) . \end{aligned}$$

We thus have

$$\sigma_1^{(0)} + \sigma_1^{(1)} + \sigma_1^{(2)} = 0 ,$$

$$\sigma_2^{(0)} + \sigma_2^{(1)} + \sigma_2^{(2)} = 3\Big(\chi_3(x_1)\bar{\chi}_3(x_2) + \bar{\chi}_3(x_1)\chi_3(x_2) + \chi_3(x_2)\bar{\chi}_3(x_3) + \bar{\chi}_3(x_2)\chi_3(x_3) + \chi_3(x_3)\bar{\chi}_3(x_1) + \bar{\chi}_3(x_3)\chi_3(x_1)\Big),$$

$$\sigma_3^{(0)} + \sigma_3^{(1)} + \sigma_3^{(2)} = 3\Big(\chi_3(x_1)\chi_3(x_2)\chi_3(x_3) + \bar{\chi}_3(x_1)\bar{\chi}_3(x_2)\bar{\chi}_3(x_3)\Big) .$$

In the summation over $\beta$ of the sum of the three products, the values $\beta = z_1^3, z_2^3, z_3^3$ should be excluded. Thus we must compute

$$N_2(3) = \frac{1}{9}\left[2^m - 3 + \frac{1}{3}\sum_{\beta \neq z_i^3} \Big[\big(\sigma_2^{(0)} + \sigma_2^{(1)} + \sigma_2^{(2)}\big) + \big(\sigma_3^{(0)} + \sigma_3^{(1)} + \sigma_3^{(2)}\big)\Big]\right] .$$

Therefore, two types of summations must be evaluated, namely

$$S_2 = \sum_{\beta \neq z_i^3} \chi_3(\beta + z_1^3)\bar{\chi}_3(\beta + z_2^3) \qquad \text{and} \qquad S_3 = \sum_{\beta \neq z_i^3} \chi_3(\beta + z_1^3)\chi_3(\beta + z_2^3)\chi_3(\beta + z_3^3) ,$$

the remaining ones being obtained by symmetry or complex conjugation. Considering $S_2$, and defining for short $y_1 = z_2^3 + z_3^3$, $y_2 = z_1^3 + z_3^3$, and $y_3 = z_1^3 + z_2^3$, we have

$$S_2 = -\chi_3(y_2)\bar{\chi}_3(y_1) + \sum_{\beta \in \mathbb{F}_{2^m}} \chi_3(\beta + z_1^3)\bar{\chi}_3(\beta + z_2^3) = -\chi_3(y_2)\bar{\chi}_3(y_1) + \sum_{x \in \mathbb{F}_{2^m}} \chi_3(x)\bar{\chi}_3(x + y_3) ,$$

thus $S_2 = -\chi_3(y_2)\bar{\chi}_3(y_1) - 1$ (the first term removes the excluded value $\beta = z_3^3$, while $\beta = z_1^3, z_2^3$ contribute $0$). Considering $S_3$ we have

$$S_3 = \sum_{\beta \neq z_i^3} \chi_3(\beta + z_1^3)\chi_3(\beta + z_2^3)\chi_3(\beta + z_3^3) = \sum_{x \neq 0, y_3, y_2} \chi_3(x)\chi_3(x + y_3)\chi_3(x + y_2) ,$$

thus, with the change of variable $x = 1/u$, since the character is cubic we obtain

$$S_3 = \sum_{u \neq 0, 1/y_3, 1/y_2} \chi_3(1 + u y_3)\chi_3(1 + u y_2) = \sum_{w \neq 1, 0, 1 + y_3/y_2} \chi_3(w)\, \chi_3\!\Big(\frac{y_2}{y_3}\Big)\, \chi_3\!\Big(w + 1 + \frac{y_3}{y_2}\Big)$$

(substituting $w = 1 + u y_3$), that is

$$\begin{aligned} S_3 &= \chi_3(y_2)\bar{\chi}_3(y_3) \sum_{w \neq 1, 0, 1 + y_3/y_2} \chi_3(w)\, \chi_3\!\Big(w + 1 + \frac{y_3}{y_2}\Big) \\ &= -1 + \chi_3(y_2)\bar{\chi}_3(y_3) \sum_{w \in \mathbb{F}_{2^m}} \chi_3(w)\, \chi_3\!\Big(w + \frac{y_1}{y_2}\Big) \\ &= -1 + \bar{\chi}_3(y_1)\bar{\chi}_3(y_2)\bar{\chi}_3(y_3) \sum_{x \in \mathbb{F}_{2^m}} \chi_3(x)\chi_3(x + 1) , \end{aligned}$$

where we used $1 + y_3/y_2 = y_1/y_2$ (as $y_1 + y_2 + y_3 = 0$), the fact that the term $w = 1$ contributes exactly $1$, and the substitution $w = x\, y_1/y_2$. In conclusion, we obtain

$$N_2(3) = \frac{1}{9}\Big[2^m - 11 - (-2)^{m/2}\big[\chi_3(y_1 y_2 y_3) + \bar{\chi}_3(y_1 y_2 y_3)\big] - \big(\chi_3(y_1^2 y_2) + \bar{\chi}_3(y_1^2 y_2) + \chi_3(y_2^2 y_3) + \bar{\chi}_3(y_2^2 y_3) + \chi_3(y_3^2 y_1) + \bar{\chi}_3(y_3^2 y_1)\big)\Big] .$$

Note that, if $z_1 = 0$ (which corresponds to choosing $\beta$ in one particular coset), then $y_2$ and $y_3$ are cubes, and the number of solutions is

$$N_2(3) = \frac{1}{9}\Big(2^m - 13 - \big[(-2)^{m/2} + 2\big]\big[\chi_3(y_1) + \bar{\chi}_3(y_1)\big]\Big) .$$

Finally we focus our interest on the maximum over the $z_i$ and obtain

$$1 + \max N_2(3) = \begin{cases} \frac{1}{9}\,(2^m + 2^{m/2} - 2) & \text{for } m/2 \text{ even} \\[2pt] \frac{1}{9}\,(2^m + 2^{m/2 + 1} + 1) & \text{for } m/2 \text{ odd} . \end{cases}$$

Let us deal now with the case $p > 2$:

$t = 2$. In this case, we have

$$\prod_{i=1}^{2} I_{B_h}(\beta + z_i^2) = \frac{1}{4}\Big(1 + \sigma_1^{(h)} + \sigma_2^{(h)}\Big), \qquad h = 0, 1 ,$$

where $\sigma_1^{(h)} = (-1)^h\chi_2(x_1) + (-1)^h\chi_2(x_2)$ and $\sigma_2^{(h)} = \chi_2(x_1)\chi_2(x_2)$, with $x_i = \beta + z_i^2$.

Since $\sigma_1^{(0)} + \sigma_1^{(1)} = 0$ and $\sigma_2^{(0)} + \sigma_2^{(1)} = 2\,\chi_2(x_1)\chi_2(x_2)$, the sum over $\beta$ in the whole field $\mathbb{F}_{p^m}$ with the exclusion of $\beta = -z_1^2$ and $\beta = -z_2^2$ is

$$N_p(2) = \frac{1}{2}\left[p^m - 2 + \sum_{\beta \neq -z_1^2, -z_2^2} \chi_2(\beta + z_1^2)\chi_2(\beta + z_2^2)\right] .$$

Let $S$ denote the above summation: we evaluate it in closed form by substituting $\beta = \eta - z_1^2$; since $\chi_2$ is a nontrivial quadratic character, we have

$$S = \sum_{\eta \in \mathbb{F}_{p^m}} \chi_2(\eta)\chi_2(\eta + z_1^2 - z_2^2) = -1 ,$$

the summation being independent of the term $z_1^2 - z_2^2$, which is non-zero by hypothesis. In conclusion we have

$$N_p(2) = \frac{1}{2}\,(p^m - 3) ,$$

so that

$$1 + \max N_p(2) = \frac{1}{2}\,(p^m - 1) .$$



$t = 3$. In this case

$$\prod_{i=1}^{3} I_{B_h}(\beta + z_i^2) = \frac{1}{8}\Big(1 + \sigma_1^{(h)} + \sigma_2^{(h)} + \sigma_3^{(h)}\Big), \qquad h = 0, 1 ,$$

where $\sigma_1^{(h)} = (-1)^h\big(\chi_2(x_1) + \chi_2(x_2) + \chi_2(x_3)\big)$, $\sigma_2^{(h)} = \chi_2(x_1)\chi_2(x_2) + \chi_2(x_1)\chi_2(x_3) + \chi_2(x_2)\chi_2(x_3)$, and $\sigma_3^{(h)} = (-1)^h\chi_2(x_1)\chi_2(x_2)\chi_2(x_3)$.

Since $\sigma_1^{(0)} + \sigma_1^{(1)} = 0$, $\sigma_2^{(0)} + \sigma_2^{(1)} = 2\big(\chi_2(x_1)\chi_2(x_2) + \chi_2(x_1)\chi_2(x_3) + \chi_2(x_2)\chi_2(x_3)\big)$, and $\sigma_3^{(0)} + \sigma_3^{(1)} = 0$, the summation over $\beta$ of the sum of the two products, where the values of $\beta$ equal to $-z_1^2$, $-z_2^2$ and $-z_3^2$ are excluded, becomes

$$N_p(3) = \frac{1}{4}\left[p^m - 3 + \sum_{\beta \neq -z_i^2} \big[\chi_2(x_1)\chi_2(x_2) + \chi_2(x_1)\chi_2(x_3) + \chi_2(x_2)\chi_2(x_3)\big]\right] .$$

We thus need to evaluate only one type of summation, namely

$$S_2 = \sum_{\beta \neq -z_i^2} \chi_2(\beta + z_1^2)\chi_2(\beta + z_2^2) = \sum_{\eta \in \mathbb{F}_{p^m}} \chi_2(\eta)\chi_2(\eta + z_2^2 - z_1^2) - \chi_2(z_1^2 - z_3^2)\chi_2(z_2^2 - z_3^2) = -1 - \chi_2(z_1^2 - z_3^2)\chi_2(z_2^2 - z_3^2) ,$$

the remainder being obtained by symmetry. In conclusion, we obtain

$$N_p(3) = \frac{1}{4}\Big[p^m - 6 - \big(\chi_2(z_1^2 - z_3^2)\chi_2(z_2^2 - z_3^2) + \chi_2(z_1^2 - z_2^2)\chi_2(z_3^2 - z_2^2) + \chi_2(z_2^2 - z_1^2)\chi_2(z_3^2 - z_1^2)\big)\Big] .$$

And, if we consider the maximum, we have

$$1 + \max N_p(3) = \begin{cases} \frac{1}{4}\,(p^m + 1) & p = 4k + 3,\ m \text{ odd} \\[2pt] \frac{1}{4}\,(p^m - 1) & p = 4k + 1, \text{ or } p = 4k + 3,\ m \text{ even} . \end{cases}$$


4.2 Bounds

As the number of equations in system (1) or (3) becomes larger, exact computations become less meaningful for our purpose, as it would then be necessary to think about estimates and bounds on rather cumbersome expressions. We will thus shift our interest to a general upper bound for the function $N_p(r)$; we will first deal with the case $p = 2$, then the case $p > 2$.

Consider equation (2) written as

$$N_2(r) = \frac{1}{3^r} \sum_{\beta \neq z_i^3} \big[Q_0 + Q_1 + Q_2\big] , \qquad (5)$$

where

$$Q_k = 3^r \prod_{i=1}^{r} I_{A_k}(x_i) = 1 + \sigma_1^{(k)} + \sigma_2^{(k)} + \cdots + \sigma_r^{(k)}, \qquad k = 0, 1, 2 ,$$

$x_i$ being $\beta + z_i^3$, and each $\sigma_j^{(k)}$ is a sum of monomials which are products of the same number $j$ of distinct variables (characters) $\chi_3(x_i)$ or $\bar{\chi}_3(x_i)$, possibly times a power of $\zeta_3$ or $\bar{\zeta}_3$. In particular the number of addends in $\sigma_j^{(k)}$ is $2^j \binom{r}{j}$.

Define $\sigma_j = \sigma_j^{(0)} + \sigma_j^{(1)} + \sigma_j^{(2)}$ for every $j = 1, \ldots, r$; then $\sigma_j$ contains fewer addends than any $\sigma_j^{(k)}$, since all monomials multiplied by either $\zeta_3$ or $\bar{\zeta}_3$ are canceled out with monomials multiplied by $1$, and the surviving monomials are multiplied by $3$ (see also the examples above). In particular, $\sigma_1$ is zero; $\sigma_2$ is a sum of monomials of the form $\chi_3(x_i)\bar{\chi}_3(x_l)$ ($i, l$ distinct), whose total number is $2\binom{r}{2}$; $\sigma_3$ is a sum of monomials of the form $\chi_3(x_i)\chi_3(x_l)\chi_3(x_m)$ or $\bar{\chi}_3(x_i)\bar{\chi}_3(x_l)\bar{\chi}_3(x_m)$ ($i, l, m$ all distinct), whose total number is $2\binom{r}{3}$; and $\sigma_4$ is a sum of monomials of the form $\chi_3(x_i)\chi_3(x_l)\bar{\chi}_3(x_m)\bar{\chi}_3(x_s)$ ($i, l, m, s$ all distinct), whose total number is $6\binom{r}{4}$. In general, the number of surviving monomials of degree $j$ can be computed by considering that each monomial is a product of $n_1$ characters and $n_2$ complex conjugate characters; thus $n_1 + n_2 = j$. Since in $Q_k$ the $\chi_3(x_i)$ are multiplied by $\bar{\zeta}_3^{\,k}$ and the $\bar{\chi}_3(x_h)$ by $\zeta_3^{\,k}$, the surviving monomials satisfy the condition $n_1 + 2n_2 \equiv 0 \bmod 3$. Therefore, the admissible values of $0 \le n_2 \le j$ satisfy the condition $n_2 \equiv 2j \bmod 3$: if $e = 2j \bmod 3$ and $e \in \{0, 1, 2\}$, the number of surviving monomials is $\binom{r}{j} a_j$, where

$$a_j = \sum_{h \ge 0} \binom{j}{e + 3h} ,$$

with $\{a_j\}_{j \ge 2} = 2, 2, 6, 10, 22, 42, 86, 170, 342, \ldots$ matching the sequence A078008 in the OEIS with the first two terms disregarded. We observe now that the product of $j$ characters, whose arguments are distinct linear functions of $\beta$, can be interpreted as a single character whose argument is a polynomial $f(\beta)$ with $j$ distinct roots: by [16, Theorem 2C'], each sum of these characters is upper bounded by $(j - 1)\sqrt{2^m}$, so that

$$N_2(r) \le \frac{1}{3^{r-1}}\left[2^m - r + \sqrt{2^m} \sum_{j=2}^{r} a_j\,(j - 1)\binom{r}{j}\right] .$$

The summation above is evaluated as follows, using the expression $a_j = \frac{1}{3}\sum_{h=0}^{2} \zeta_3^{-he}(1 + \zeta_3^h)^j$ for the sequence $a_j$ as can be found in [2], [3], [8]:

$$\sum_{j=2}^{r} a_j (j - 1)\binom{r}{j} = \sum_{j=2}^{r} \frac{1}{3}\sum_{h=0}^{2} \zeta_3^{-he}(1 + \zeta_3^h)^j (j - 1)\binom{r}{j} = \frac{1}{3}\sum_{h=0}^{2}\sum_{j=2}^{r} \zeta_3^{-he}(1 + \zeta_3^h)^j (j - 1)\binom{r}{j} .$$

Now, observing that $e \equiv -j \bmod 3$ and $\zeta_3$ is a cubic root of unity, we may substitute $\zeta_3^{hj}$ for $\zeta_3^{-he}$ and write $(\zeta_3^h + \zeta_3^{2h})^j$ for $\zeta_3^{hj}(1 + \zeta_3^h)^j$ in the last expression, which we then write as

$$\frac{1}{3}\sum_{h=0}^{2}\sum_{j=0}^{r} (\zeta_3^h + \zeta_3^{2h})^j (j - 1)\binom{r}{j} + 1 = 1 + \frac{1}{3}\sum_{h=0}^{2}\left(\sum_{j=0}^{r} j\,(\zeta_3^h + \zeta_3^{2h})^j\binom{r}{j} - \sum_{j=0}^{r} (\zeta_3^h + \zeta_3^{2h})^j\binom{r}{j}\right)$$

(the terms $j = 0$, which contribute $-1$ for each $h$, and $j = 1$, which contribute $0$, have been added and compensated). Using the binomial sum and its derivative, we finally obtain

$$\sum_{j=2}^{r} a_j (j - 1)\binom{r}{j} = 1 + \frac{1}{3}\sum_{h=0}^{2}\Big(r\,(\zeta_3^h + \zeta_3^{2h})(1 + \zeta_3^h + \zeta_3^{2h})^{r-1} - (1 + \zeta_3^h + \zeta_3^{2h})^r\Big),$$

that is

$$\sum_{j=2}^{r} a_j (j - 1)\binom{r}{j} = 1 + \frac{1}{3}\big[2r\,3^{r-1} - 3^r\big] = 1 + 3^{r-2}(2r - 3) ,$$

because $(1 + \zeta_3^h + \zeta_3^{2h})$ is $3$ when $h = 0$ and is $0$ otherwise. In conclusion

$$N_2(r) \le \frac{1}{3^{r-1}}\Big[2^m + \sqrt{2^m} - r + 3^{r-2}(2r - 3)\sqrt{2^m}\Big] ,$$

where we see that, when $3^{r-2}(2r - 3)\sqrt{2^m} - r + \sqrt{2^m} \ll 2^m$, roughly $r \ll m/2$, then $N_2(r) \approx \frac{2^m}{3^{r-1}}$, so that this deterministic bound supports the probabilistic estimate discussed above.
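The monomial count behind this bound can be checked numerically. The following added example, not part of the paper, expands $Q_0 + Q_1 + Q_2$ with complex coefficients, counts the monomials whose coefficient survives the sum over $k$ (and verifies that each survivor carries the factor $3$), compares with $\binom{r}{j} a_j$, and checks the closed form $1 + 3^{r-2}(2r - 3)$ of the weighted sum; the closed form $a_j = (2^j + 2(-1)^j)/3$ that the roots-of-unity filter yields is not stated in the paper and is this example's own derivation, as are all names.

```python
"""Added example, not from the paper: numerical check of the monomial-counting argument of
Section 4.2.  Each monomial of Q_k = 3^r prod_i I_{A_k}(x_i) is a choice of a subset of the
x_i and, for each, of chi_3 or its conjugate; its coefficient in Q_k is zeta^(k (n2 - n1)).
All function names are this example's own."""
import cmath
from itertools import combinations, product
from math import comb

ZETA = cmath.exp(2j * cmath.pi / 3)     # primitive complex cube root of unity zeta_3


def a_j(j):
    """a_j = sum_h binom(j, e + 3h) with e = 2j mod 3 (the paper's definition)."""
    e = (2 * j) % 3
    return sum(comb(j, n) for n in range(e, j + 1, 3))


def a_j_closed(j):
    """Roots-of-unity filter evaluated in closed form: (2^j + 2 (-1)^j) / 3 (own derivation)."""
    return (2 ** j + 2 * (-1) ** j) // 3


def surviving_monomials(r):
    """Sum Q_0 + Q_1 + Q_2 monomial by monomial and return {degree j: number of monomials whose
    total coefficient is nonzero}.  Survivors are exactly those with n1 == n2 (mod 3)."""
    counts = {}
    for j in range(1, r + 1):
        for idx in combinations(range(r), j):
            for conj in product((False, True), repeat=j):
                diff = sum(1 if c else -1 for c in conj)          # n2 - n1
                coef = sum(ZETA ** (k * diff) for k in range(3))  # sum over k of zeta^(k(n2-n1))
                if abs(coef) > 1e-9:
                    assert abs(coef - 3) < 1e-9                   # survivors carry the factor 3
                    counts[j] = counts.get(j, 0) + 1
    return counts


def weighted_sum(r):
    """sum_{j=2}^r a_j (j - 1) binom(r, j): coefficient of sqrt(2^m) in 3^{r-1} N_2(r)'s bound."""
    return sum(a_j(j) * (j - 1) * comb(r, j) for j in range(2, r + 1))


def weighted_sum_closed(r):
    """The paper's closed form 1 + 3^{r-2} (2r - 3)."""
    return 1 + 3 ** (r - 2) * (2 * r - 3)


def n2_upper_bound(m, r):
    """The deterministic bound of Section 4.2 on N_2(r), as a float."""
    root = 2 ** (m / 2)
    return (2 ** m - r + root * weighted_sum_closed(r)) / 3 ** (r - 1)
```

For $r = 4$ the survivor counts are $12$, $8$ and $6$ for $j = 2, 3, 4$, i.e. $\binom{4}{2} \cdot 2$, $\binom{4}{3} \cdot 2$ and $\binom{4}{4} \cdot 6$, and no monomial of degree 1 survives, matching $\sigma_1 = 0$.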



In the case $p > 2$, consider equation (4) written as

$$N_p(r) = \frac{1}{2^r} \sum_{\beta \neq -z_i^2} \big[Q_0 + Q_1\big] , \qquad (6)$$

where

$$Q_k = 2^r \prod_{i=1}^{r} I_{B_k}(x_i) = 1 + \sigma_1^{(k)} + \sigma_2^{(k)} + \cdots + \sigma_r^{(k)}, \qquad k = 0, 1 ,$$

$x_i$ being $\beta + z_i^2$, and each $\sigma_j^{(k)}$ is a sum of monomials which are products of the same number $j$ of distinct variables (characters) $\chi_2(x_i)$. In particular, only the $\sigma_j^{(k)}$s with even subscripts survive in $Q_0 + Q_1$, and clearly they are the elementary symmetric functions of $r$ variables; thus the number of addends in $\sigma_j^{(k)}$ is $\binom{r}{j}$. The same argument used to upper bound $N_2(r)$ also applies here; in this case the sum of products of $j$ characters is bounded as $(j - 1)\sqrt{p^m}$ by [16, Theorem 2C'], so that

$$N_p(r) \le \frac{1}{2^{r-1}}\left[p^m - r + \sqrt{p^m} \sum_{\substack{j=2 \\ j \text{ even}}}^{r} (j - 1)\binom{r}{j}\right] ,$$

which, after some manipulation, can be written as

$$N_p(r) \le \frac{1}{2^{r-1}}\Big[p^m - r + \big[2^{r-2}(r - 2) + 1\big]\sqrt{p^m}\Big] ,$$

and we see that, when $[2^{r-2}(r - 2) + 1]\sqrt{p^m} - r \ll p^m$, roughly $r \ll \frac{m}{2}\log_2 p$, then $N_p(r) \approx \frac{p^m}{2^{r-1}}$, as in our probabilistic estimate.



5 Deterministic splitting II: fixed $N$

This section examines the smallest $t$ such that the algorithm succeeds in at most 1 or 2 attempts: we will call these $t_0(1)$ and $t_0(2)$, respectively.

Clearly, $t_0(1) = \ell_m + 1$, since there are exactly $\ell_m$ elements belonging to a given coset; then, if $t > \ell_m$, the algorithm succeeds at the first attempt.

To evaluate $t_0(2)$, we must examine the number of representations of a $\beta \neq 0$ in the field as the sum of an element in a given coset and an element in another (possibly the same) given coset (see also [12], [11], [14]). We then consider the maximum $M$, over $\beta \neq 0$ in the field and over all possible pairs of cosets, so that $t_0(2)$ is $1 + M$.

For the case of the cubic character, $M$ can be calculated as follows:

$$M = \max_{i, j, \beta} \sum_{z \neq 0, \beta} \frac{1 + \bar{\zeta}_3^{\,i}\chi_3(z) + \zeta_3^{\,i}\bar{\chi}_3(z)}{3} \cdot \frac{1 + \bar{\zeta}_3^{\,j}\chi_3(\beta + z) + \zeta_3^{\,j}\bar{\chi}_3(\beta + z)}{3} ,$$

which is the maximum over $i, j, \beta$ of the following expression:

$$\frac{1}{9}\Big[2^m - 2 - \chi_3(\beta)\big(\bar{\zeta}_3^{\,i} + \bar{\zeta}_3^{\,j}\big) - \bar{\chi}_3(\beta)\big(\zeta_3^{\,i} + \zeta_3^{\,j}\big) - \zeta_3^{\,i - j} - \zeta_3^{\,j - i} - (-2)^{m/2}\big(\bar{\zeta}_3^{\,i + j}\bar{\chi}_3(\beta) + \zeta_3^{\,i + j}\chi_3(\beta)\big)\Big] ,$$

where we have again exploited the relations $\sum_{x \in \mathbb{F}_{2^m}} \chi_3(x) = 0$, $\sum_{x \in \mathbb{F}_{2^m}} \chi_3(x)\bar{\chi}_3(x + \beta) = -1$ and $\sum_{x \in \mathbb{F}_{2^m}} \chi_3(x)\chi_3(x + 1) = G_m(1, \chi_3) = -(-2)^{m/2}$. Then we have

$$M = \begin{cases} \frac{1}{9}\,(2^m + 2^{m/2} - 2) & \text{for } m/2 \text{ even} \\[2pt] \frac{1}{9}\,(2^m + 2^{m/2 + 1} + 1) & \text{for } m/2 \text{ odd} . \end{cases}$$

For the case of the quadratic character, we consider similarly

$$M = \max_{i, j, \beta} \sum_{z \neq 0, \beta} \frac{1 + (-1)^i\chi_2(z)}{2} \cdot \frac{1 + (-1)^j\chi_2(\beta - z)}{2} = \max_{i, j, \beta} \frac{1}{4}\Big[p^m - 2 - \chi_2(\beta)(-1)^i - \chi_2(\beta)(-1)^j - (-1)^{i + j}\chi_2(-1)\Big] ,$$

therefore

$$M = \begin{cases} \frac{1}{4}\,(p^m + 1) & p = 4k + 3,\ m \text{ odd} \\[2pt] \frac{1}{4}\,(p^m - 1) & p = 4k + 1, \text{ or } p = 4k + 3,\ m \text{ even} . \end{cases}$$

Remark 5 It is interesting to notice that $M$, which is the maximum $t$ such that it is still possible to fail splitting a polynomial of degree $t$ with two attempts, is equal to the maximum number of attempts to split a polynomial of degree 3. Similarly, $\ell_m$ is at the same time the maximum $t$ such that it is possible to fail splitting a polynomial of degree $t$ at the first attempt and the maximum number of attempts to split a polynomial of degree 2.